openbsd pppoe and qwest dsl

Monday, June 1. 2009
i thought i'd do a quick write up of my qwest dsl setup. i have a /29 (8 ip) static ip block from qwest and also a local network that sits behind nat. i started using this setup initially because the pppoe on my (old) alcatel modem was pretty unreliable, requiring a power cycle every week or so. openbsd's pppoe has proven much more reliable (i've gone 5 months), but it also adds two other big benefits: it gives you one more ip address (the one that would normally be wasted on your dsl modem is now used by your openbsd box), and most importantly you can use pf as your firewall.

hardware

any box with 3 nics (i'm using a lex twister from hacom.net with 4 gigabit nics, em0-em3) and a dsl modem that can be placed into transparent bridging mode (i'm using a motorola 3347, but most likely any modem qwest deploys will do -- i've used several others).

interfaces

em0

wired with a crossover cable to the dsl modem (this assumes the modem is 192.168.0.1, which is what qwest tends to use -- giving em0 an address on that subnet lets you reach the modem's configuration webpage from the gateway machine if you need to). /etc/hostname.em0 follows:

inet 192.168.0.2 255.255.255.0

em1

internal nat'd subnet (not publicly routed, eg, 10.0.1.0/24). hang any machines you want behind nat off this interface. /etc/hostname.em1 follows:

inet 10.0.1.1 255.255.255.0 10.0.1.255 group trusted

em3

internet-routable subnet (your static ip block, eg, 75.160.178.8/29). hang any machines that should use an ip from your qwest static block off this interface. /etc/hostname.em3 follows:

inet 75.160.178.14 255.255.255.248

pppoe0

the actual pppoe connection through the dsl modem. the modem must be in transparent bridge mode for this to work. /etc/hostname.pppoe0 follows:

inet 0.0.0.0 255.255.255.248 NONE pppoedev em0 authproto pap authname 'username' authkey 'password' up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1

bridge0

bridge the pppoe connection with the publicly addressable interface. /etc/bridgename.bridge0 follows:

add em3
up

pf.conf
ext = "pppoe0"

OPEN_TCP = "{ auth, https, smtp, submission, www }"
OPEN_ICMP = "{ echorep, echoreq, timex, unreach }"

scrub in all
# this fixes weird behaviour w/ some webservers and dsl.
scrub out on $ext max-mss 1452

# redirect

# nat
# ($ext) rather than $ext: pppoe0's address is negotiated, and the parentheses
# make pf track it instead of baking in whatever it was when the rules loaded.
nat on $ext inet from { trusted:network } to any -> ($ext)

# external
antispoof log for $ext

block in log on $ext
# allow pings to any of our static block ips
pass in quick on $ext inet proto icmp icmp-type $OPEN_ICMP
# allow connections to port $OPEN_TCP on the gateway machine (only).
# ($ext) so the rule follows pppoe0's negotiated address.
pass in quick on $ext proto tcp from any to ($ext) port $OPEN_TCP
# allow ssh connections to any of our publicly routed ips.
pass in quick on $ext proto tcp from any to any port ssh
# allow www to our webserver.
pass in quick on $ext proto tcp from any to 75.160.178.10 port { www, https }
pass out quick on $ext